Coact wasn't launched and isn't currently under development. This post is simply here for archival purposes and general interest. We may come back to this in the future.
Historically, all aTech Media products used our own SSO system called aTech Identity. Unfortunately, this method introduces unnecessary complexity when you want to allow your clients to login as they may not be as familiar with the system as your own team.
Having said that, we do still need to allow an e-mail address to be used across multiple Coact accounts. For example, a team member at Bloggs' Bakery with the address firstname.lastname@example.org may be a client of Fleur's Flour Emporium with the same e-mail address. Whenever they login, they will need to be prompted which account they actually want to use.
We've kept our single sign on very simple - we host a tiny application at login.letscoact.com which all users will be directed to when they need to login. On this site, users will be prompted to enter their e-mail address and their password and, if they're correct, they will be given a choice of accounts to login to.
Inviting a user
When you want to invite a team member or client to your Coact account, you will simply need to enter their e-mail address and send them a message inviting them to login. This e-mail will contain a link which will allow them to fully activate their account. If an account exists for their e-mail address, it will ask them to enter their existing password otherwise, it will simply ask them to choose a password.
Behind the scenes
The login system will keep all the passwords safely and they will not be transferred to the actual application. The login system has the power to log any user into any Coact account by simply creating a login token containing the e-mail address of the user, the account to login to and a UUID. The user is then directed to
/login/:token and the application will find which account & user corresponds with the given UUID and log them in, while also invalidating the token.
- User enters login details at login.letscoact.com
- If the user has more than one account, it displays a list of accounts associated with that e-mail address.
- A login token is generated with a random UUID plus the e-mail address & account which the user wants to login to.
- The user is redirected to the Coact domain for the account they wish to login to along with the login token.
- Coact will make a request to the login service with the UUID and get the e-mail address and account which authenticated.
- If the token is valid, a session will be created for the user on the account which has the same e-mail address.
If they user wishes to change their password, they will be able to do so through either the application or login system.
That's about all there is to it.